Index: openssh-7.2p2/auth2-hostbased.c
===================================================================
--- openssh-7.2p2.orig/auth2-hostbased.c
+++ openssh-7.2p2/auth2-hostbased.c
@@ -93,9 +93,11 @@ userauth_hostbased(Authctxt *authctxt)
 		error("userauth_hostbased: cannot decode key: %s", pkalg);
 		goto done;
 	}
-	if (key->type != pktype) {
-		error("userauth_hostbased: type mismatch for decoded key "
-		    "(received %d, expected %d)", key->type, pktype);
+	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
+	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
+		error("userauth_hostbased: key type mismatch for decoded key "
+		    "(received %s, expected %s)",
+		    sshkey_ssh_name(key), pkalg);
 		goto done;
 	}
 	if (key_type_plain(key->type) == KEY_RSA &&
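Review bot: The curve check relies on `sshkey_ecdsa_nid_from_name(pkalg)` resolving certificate algorithm names (`ecdsa-sha2-nistp*-cert-v01@openssh.com`) to the same NID as the plain names; if it only knows the plain names, every ECDSA certificate login now fails here with a misleading "key type mismatch", so a test that exercises a cert pkalg against this condition is worth adding before this ships. The new condition spells the helper as `sshkey_type_plain()` while the unchanged RSA test on the very next line uses `key_type_plain()` on the same key; they are equivalent through the compat layer, but one spelling inside a single if-chain is easier to audit. This four-line check is also duplicated verbatim in auth2-pubkey.c below; a small shared helper in sshkey.c taking the key and pkalg and returning nonzero on mismatch would keep the two authentication paths from drifting. userauth_hostbased starts and ends outside the hunk.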
Index: openssh-7.2p2/auth2-pubkey.c
===================================================================
--- openssh-7.2p2.orig/auth2-pubkey.c
+++ openssh-7.2p2/auth2-pubkey.c
@@ -112,9 +112,11 @@ userauth_pubkey(Authctxt *authctxt)
 		error("%s: cannot decode key: %s", __func__, pkalg);
 		goto done;
 	}
-	if (key->type != pktype) {
-		error("%s: type mismatch for decoded key "
-		    "(received %d, expected %d)", __func__, key->type, pktype);
+	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
+	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
+		error("%s: key type mismatch for decoded key "
+		    "(received %s, expected %s)", __func__,
+		    sshkey_ssh_name(key), pkalg);
 		goto done;
 	}
 	if (key_type_plain(key->type) == KEY_RSA &&
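Review bot: The error message now includes `pkalg`, a string chosen by the unauthenticated client, and is only safe because the logging layer is assumed to strip non-printable bytes before the line reaches syslog; the line above already logs `pkalg` the same way, so there is no new exposure, but a comment such as `/* pkalg is client-supplied; log sanitises non-printables */` would record the dependency. On the same theme, `sshkey_ssh_name(key)` and `pkalg` can differ only in the curve (e.g. nistp256 vs nistp384) for the new mismatch case, which is exactly what the message needs to show, so the switch from integer types to names is an improvement. userauth_pubkey starts and ends outside the hunk.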
@@ -564,20 +566,23 @@ exited_cleanly(pid_t pid, const char *ta
 static int
 match_principals_option(const char *principal_list, struct sshkey_cert *cert)
 {
-	char *result;
+	char *list, *olist, *entry;
 	u_int i;
 
-	/* XXX percent_expand() sequences for authorized_principals? */
-
-	for (i = 0; i < cert->nprincipals; i++) {
-		if ((result = match_list(cert->principals[i],
-		    principal_list, NULL)) != NULL) {
-			debug3("matched principal from key options \"%.100s\"",
-			    result);
-			free(result);
-			return 1;
+	olist = list = xstrdup(principal_list);
+	for (;;) {
+		if ((entry = strsep(&list, ",")) == NULL || *entry == '\0')
+			break;
+		for (i = 0; i < cert->nprincipals; i++) {
+			if (strcmp(entry, cert->principals[i]) == 0) {
+				debug3("matched principal from key i"
+				    "options \"%.100s\"", entry);
+				free(olist);
+				return 1;
+			}
 		}
 	}
+	free(olist);
 	return 0;
 }
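Review bot: The split string literal in the debug3 call concatenates to "matched principal from key ioptions": the stray `i` at the end of the first fragment should go, i.e. `debug3("matched principal from key "` followed by `"options \"%.100s\"", entry);`. The loop also changes behaviour for malformed lists: an empty entry produced by a leading or doubled comma (`principals="alice,,bob"`) hits `*entry == '\0'` and breaks out, so every entry after it is silently ignored, whereas the old match_list() path simply failed to match the empty item and kept going; that is fail-closed and acceptable for an allow-list, but it should be deliberate, so either use `continue` there or add `/* empty entry ends the scan; later entries are ignored (fail closed) */`. The old `XXX percent_expand()` reminder was dropped without the expansion being added; if it is still an open question it should survive the rewrite. This function is complete within the hunk.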
 
Index: openssh-7.2p2/sshconnect2.c
===================================================================
--- openssh-7.2p2.orig/sshconnect2.c
+++ openssh-7.2p2/sshconnect2.c
@@ -90,15 +90,46 @@ u_int session_id2_len = 0;
 
 char *xxx_host;
 struct sockaddr *xxx_hostaddr;
+static int key_type_allowed(Key *, const char *);
 
 static int
 verify_host_key_callback(Key *hostkey, struct ssh *ssh)
 {
+	if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
+		fatal("Server host key %s not in HostKeyAlgorithms",
+		    sshkey_ssh_name(hostkey));
+	}
 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0)
 		fatal("Host key verification failed.");
 	return 0;
 }
 
+static int
+key_type_allowed(Key *key, const char *allowlist)
+{
+	if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
+		return 1;
+
+	/* RSA keys/certs might be allowed by alternate signature types */
+	switch (key->type) {
+	case KEY_RSA:
+		if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
+			return 1;
+		if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
+			return 1;
+		break;
+	case KEY_RSA_CERT:
+		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+		    allowlist, 0) == 1)
+			return 1;
+		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+		    allowlist, 0) == 1)
+			return 1;
+		break;
+	}
+	return 0;
+}
+
 /* Returns the first item from a comma-separated algorithm list */
 static char *
 first_alg(const char *algs)
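Review bot: key_type_allowed() calls `match_pattern_list(sshkey_ssh_name(key), allowlist, 0)` with `options.hostkeyalgorithms` as the list and would crash on a NULL pointer; this is presumably safe because the KEX setup fills in a default list before any host key can arrive, but that happens outside this hunk, so a `if (allowlist == NULL) return 0;` guard (fail closed) or a comment stating the invariant would make the callback self-contained. The RSA fallback accepts an `ssh-rsa` host key whenever either rsa-sha2 name is listed without checking which signature algorithm the server actually used; that appears to be left to the KEX signature verification, and a comment saying so would stop a future reader from treating this function as the only gate. The `switch (key->type)` has no `default:` arm; adding `default: break;` documents that other key types get no fallback and keeps -Wswitch quiet. Both verify_host_key_callback and key_type_allowed are complete within the hunk; first_alg continues past it.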
